Security researchers at Trustwave SpiderLabs encountered a phishing scheme that acts like a chameleon, changing and blending its colors to match its environment. The site adapts its page background and logo to the user's input in order to trick victims into giving away their email credentials.
The phishing scheme starts with an email asking the target to click a provided link to access a document. The link leads to a fabricated webpage on which the victim's email address is already filled in and the site asks for the victim's password.
The page looks just like any other run-of-the-mill phishing site, notes SpiderLabs, but the phishing URL has a distinctive format: the victim's email address is carried in the URL fragment. Removing the fragment containing the victim's email address makes the web graphics disappear, leaving a bland login page. The SpiderLabs researchers created dummy email addresses at common email provider domains such as gmail.com and Outlook.com, and the page's appearance changed for each domain.
The site acts like a chameleon by changing and blending its images to camouflage itself. The researchers noted four noticeable web elements that changed whenever they tested a new email address in the browser: the page’s background, a blurred logo, the title tab, and the capitalized text of the domain from the email address provider.
SpiderLabs researchers took a deeper look at how the changes happen on the website's back end by viewing the source code. The site blocks the right-click context menu, so instead they used the Google Chrome keyboard shortcut CTRL+U, which opens the page's source in a new tab.
The scripts in the source code showed how the threat actors created their behind-the-scenes trickery. The JavaScript declares a string variable named my_slice: the supplied email address is validated with a regular expression and then parsed to extract the domain name, which is stored in my_slice.
Here are SpiderLabs’ findings within the source code:
The Page Background
The iframe with ID mainPage has its source attribute built by concatenating the text https:// with the variable my_slice. This pulls in content from the domain in the email address, which helps make the webpage believable, so the victim won't notice that an incorrect webpage is being accessed.
The Blurred Logo
The code sourced the logo from Google's favicon API, using the my_slice variable in the API query to find the matching logo and make the phishing page look realistic. The sourced logo is small and was stretched, which is why it looks blurry on the page.
The Tab Title and the Capitalized Text Beside the Logo
The parsed domain name in my_slice then undergoes another round of parsing that discards the TLD and extracts the brand name, which is stored in the global variable logoname.
The code also included various input text field validators to check the text of the email address and password.
As the victim enters a password, a notification appears: "Invalid Details, Please try again." The submit button's text changes from Continue to Sign in. Unknown to the user, each time the button is clicked the email address and password are forwarded to the attacker's server. After three attempts, the page finally redirects the victim to the legitimate website: once more, my_slice is concatenated with "http://www." to form the final landing page destination.
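As an added illustration, not code from Trustwave's write-up or from the kit itself, here is a small defender-side check in JavaScript (Node) that flags URLs whose fragment carries an email address, the telltale this kit relies on to pick its branding, and reports which mail provider's domain and brand the page would impersonate, derived the same way the article describes (domain after the "@", brand with the TLD dropped). The email regex, the brand heuristic, the function names and the sample hosts on the reserved .test TLD are my own assumptions.

```javascript
"use strict";

// Loose e-mail shape: local part, "@", then a dotted domain captured in group 1.
// Constructed for this example; the kit's own validation regex is not on the page.
const EMAIL_RE = /^[^\s@]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i;

// Split an address into the provider domain (what the kit stored in my_slice)
// and a brand label with the TLD dropped (what the kit stored in logoname).
// The brand heuristic simply takes the label left of the last dot: gmail.com -> "gmail".
function parseEmail(email) {
  const m = EMAIL_RE.exec(email.trim());
  if (!m) return null;
  const domain = m[1].toLowerCase();
  const labels = domain.split(".");
  return { domain, brand: labels[labels.length - 2] };
}

// Inspect one URL. The kit reads the victim's address from the fragment
// (everything after "#"), so an e-mail-shaped fragment is the indicator.
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser, a global in Node
  } catch (e) {
    return { flagged: false, reason: "unparseable" };
  }
  let fragment = url.hash.slice(1); // url.hash keeps the leading "#"
  try {
    fragment = decodeURIComponent(fragment); // "%40" -> "@"
  } catch (e) {
    // keep the raw fragment if it is not valid percent-encoding
  }
  const parsed = parseEmail(fragment);
  if (!parsed) return { flagged: false, reason: "no e-mail in fragment" };
  return {
    flagged: true,
    host: url.hostname,                // where the lure page is hosted
    victim: fragment,                  // address the kit would pre-fill
    impersonatedDomain: parsed.domain, // what the kit would load in its iframe
    impersonatedBrand: parsed.brand,   // what the kit would show beside the logo
  };
}

// Run the check over a batch of URLs, e.g. links extracted from inbound mail,
// and keep only the hits.
function scanUrls(urls) {
  return urls.map(inspectUrl).filter((r) => r.flagged);
}

// Constructed sample input (not real indicators); hosts use the reserved .test TLD.
const SAMPLE_URLS = [
  "https://docs.example-share.test/view/doc.html#alice@gmail.com",
  "https://files.example-share.test/open?id=42#bob%40outlook.com",
  "https://www.example.org/page#section-2",
  "not a url at all",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of scanUrls(SAMPLE_URLS)) {
    console.log(
      `${hit.host} lure for ${hit.victim}: impersonates ${hit.impersonatedDomain} (${hit.impersonatedBrand})`
    );
  }
}
```

Run this over links extracted from inbound mail or by a URL-rewriting gateway rather than over web proxy logs: browsers do not send the fragment to the server, so the address never appears in HTTP request logs, which is also what lets the kit read it purely client-side. The reported domain and brand are what the page would mimic, so a hit for an address at your own mail domain tells you which tenant's users the lure targets.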
SpiderLabs warns that these chameleon phishing sites are reused repeatedly by malware authors to trick users into thinking the pages are real. The bad actors can customize the template and host the scripts on other domains, allowing them to prey on unsuspecting users.